CVEs from 2014
Total
7,871
critical
critical 837
high
high 1,288
medium
medium 4,980
low
low 583
% Critical
10.6%
% with KEV
0.4%
% with exploit
9.8%
Top vendors
Top products
- chrome 3,804
- moodle 1,668
- flash_player 1,397
- firefox 1,239
- mediawiki 1,130
- ffmpeg 998
- acrobat 966
- acrobat_reader 944
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-5423 | low | — | 1.9 | 12y ago | CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0.16 allows local users to obtain potentially sensitive information by reading a temporary (1) debugging file or (2) developer file. | |||
| CVE-2014-4822 | low | — | 1.9 | 12y ago | IBM WebSphere MQ classes for Java libraries 8.0 before 8.0.0.1 and Websphere MQ Explorer 7.5 before 7.5.0.5 and 8.0 before 8.0.0.2 allow local users to discover preconfigured cleartext passwords via … | |||
| CVE-2014-4447 | low | — | 1.9 | 12y ago | Profile Manager in Apple OS X Server before 4.0 allows local users to discover cleartext passwords by reading a file after a (1) profile setup or (2) profile edit occurs. | |||
| CVE-2014-6540 | low | — | 1.9 | 12y ago | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.34, before 4.2.26, and before 4.3.14 allows local users to affect availability via vecto… | |||
| CVE-2014-4421 | low | — | 1.9 | 12y ago | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-la… | |||
| CVE-2014-4420 | low | — | 1.9 | 12y ago | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-la… | |||
| CVE-2014-4419 | low | — | 1.9 | 12y ago | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-la… | |||
| CVE-2014-4386 | low | — | 1.9 | 12y ago | Race condition in the App Installation feature in Apple iOS before 8 allows local users to gain privileges and install unverified apps by leveraging /tmp write access. | |||
| CVE-2014-4384 | low | — | 1.9 | 12y ago | Directory traversal vulnerability in the App Installation feature in Apple iOS before 8 allows local users to install unverified apps by triggering code-signature validation of an unintended bundle. | |||
| CVE-2014-4371 | low | — | 1.9 | 12y ago | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-la… | |||
| CVE-2014-5036 | low | — | 1.9 | 12y ago | The Storage Controller (SC) component in Eucalyptus 3.4.2 through 4.0.x before 4.0.1, when Dell Equallogic SAN is used, logs the CHAP user credentials, which allows local users to obtain sensitive in… | |||
| CVE-2014-0974 | low | — | 1.9 | 12y ago | The boot_linux_from_mmc function in app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other produ… | |||
| CVE-2014-0179 | low | — | 1.9 | 12y ago | libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction … | |||
| CVE-2014-5030 | low | — | 1.9 | 12y ago | CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. | |||
| CVE-2014-4652 | low | — | 1.9 | 12y ago | Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users t… | |||
| CVE-2014-1352 | low | — | 1.9 | 12y ago | Lock Screen in Apple iOS before 7.1.2 does not properly enforce the limit on failed passcode attempts, which makes it easier for physically proximate attackers to conduct brute-force passcode-guessin… | |||
| CVE-2014-3956 | low | — | 1.9 | 12y ago | The sm_close_on_exec function in conf.c in sendmail before 8.14.9 has arguments in the wrong order, and consequently skips setting expected FD_CLOEXEC flags, which allows local users to access uninte… | |||
| CVE-2014-3716 | low | — | 1.9 | 12y ago | Xen 4.4.x does not properly check alignment, which allows local users to cause a denial of service (crash) via an unspecified field in a DTB header in a 32-bit guest kernel. | |||
| CVE-2014-2893 | low | — | 1.9 | 12y ago | The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and earlier allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directo… | |||
| CVE-2014-1515 | low | — | 1.9 | 12y ago | Mozilla Firefox before 28.0.1 on Android processes a file: URL by copying a local file onto the SD card, which allows attackers to obtain sensitive information from the Firefox profile directory via … | |||
| CVE-2014-0076 | low | — | 1.9 | 12y ago | The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces… | |||
| CVE-2014-0017 | low | — | 1.9 | 12y ago | The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared be… | |||
| CVE-2014-1281 | low | — | 1.9 | 12y ago | Photos Backend in Apple iOS before 7.1 does not properly manage the asset-library cache during deletions, which allows physically proximate attackers to obtain sensitive photo data by launching the P… | |||
| CVE-2014-0135 | low | — | 1.9 | 12y ago | Kafo allows local users to obtain passwords and other sensitive information by reading default_values.yaml | |||
| CVE-2014-0890 | low | — | 1.9 | 12y ago | The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1, 9.0, and 9.0.0.1, when a certain com.ibm.collaboration.realtime.telephony.*.level setting is used, logs cleartext passwords… | |||
| CVE-2014-0058 | low | — | 1.9 | 12y ago | The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by rea… | |||
| CVE-2014-0018 | low | — | 1.9 | 13y ago | Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container (… | |||
| CVE-2014-0019 | low | — | 1.9 | 13y ago | Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the PROXY-CON… | |||
| CVE-2014-1446 | low | — | 1.9 | 13y ago | The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from ke… | |||
| CVE-2014-4812 | low | — | 1.8 | 12y ago | The installer in IBM Security AppScan Source 8.x and 9.x through 9.0.1 has an open network port for a debug service, which allows remote attackers to obtain sensitive information by connecting to thi… | |||
| CVE-2014-2926 | low | — | 1.7 | 12y ago | kapfa.sys in Kaseya Virtual System Administrator (VSA) 6.5 before 6.5.0.17 and 7.0 before 7.0.0.16 allows local users to cause a denial of service (NULL pointer dereference and application crash) via… | |||
| CVE-2014-2603 | low | — | 1.7 | 12y ago | Unspecified vulnerability on HP 8/20q switches, SN6000 switches, and 8Gb Simple SAN Connection Kit with firmware before 8.0.14.08.00 allows remote authenticated users to obtain sensitive information … | |||
| CVE-2014-1444 | low | — | 1.7 | 13y ago | The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive informati… | |||
| CVE-2014-3931 | unknown | — | 1.5 | 11mo ago | Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption. | |||
| CVE-2014-2120 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to inject arbitrary web script or HTML… | |||
| CVE-2014-0502 | unknown | — | 1.5 | 2y ago | Adobe Flash Player contains a double free vulnerability that allows a remote attacker to execute arbitrary code. | |||
| CVE-2014-4123 | unknown | — | 1.5 | 4y ago | Microsoft Internet Explorer contains an unspecified vulnerability that allows remote attackers to gain privileges via a crafted web site. | |||
| CVE-2014-8439 | unknown | — | 1.5 | 4y ago | Adobe Flash Player has a vulnerability in the way it handles a dereferenced memory pointer which could lead to code execution. | |||
| CVE-2014-4077 | unknown | — | 1.5 | 4y ago | Microsoft Input Method Editor (IME) Japanese is a keyboard with Japanese characters that can be enabled on Windows systems as it is included by default (with the default set as disabled). IME Japanes… | |||
| CVE-2014-2817 | unknown | — | 1.5 | 4y ago | Microsoft Internet Explorer cotains an unspecified vulnerability that allows remote attackers to gain privileges via a crafted web site. | |||
| CVE-2014-0546 | unknown | — | 1.5 | 4y ago | Adobe Reader and Acrobat on Windows allow attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context. | |||
| CVE-2014-4148 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists when the Windows kernel-mode driver improperly handles TrueType fonts. | |||
| CVE-2014-9163 | unknown | — | 1.5 | 4y ago | Stack-based buffer overflow in Adobe Flash Player allows attackers to execute code remotely. | |||
| CVE-2014-0496 | unknown | — | 1.5 | 4y ago | Adobe Reader and Acrobat contain a use-after-free vulnerability which can allow for code execution. | |||
| CVE-2014-1776 | unknown | — | 1.5 | 4y ago | Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code in the context of the current user. | |||
| CVE-2014-5029 | low | — | 1.5 | 12y ago | The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerabilit… | |||
| CVE-2014-0130 | unknown | — | 1.5 | 12y ago | Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails allows remote attackers to read arbitrary files via a crafted re… | |||
| CVE-2014-2485 | low | — | 1.4 | 12y ago | Unspecified vulnerability in the Siebel Core - EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows local users to affect confidentiality via unknown vectors related to Integration Business Serv… | |||
| CVE-2014-6134 | low | — | 1.2 | 11y ago | IBM Rational ClearCase 8.0.0 before 8.0.0.14 and 8.0.1 before 8.0.1.7, when Installation Manager before 1.8.2 is used, retains cleartext server passwords in process memory throughout the installation… | |||
| CVE-2014-5177 | low | — | 1.2 | 12y ago | libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declarat… | |||
| CVE-2014-3537 | low | — | 1.2 | 12y ago | The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/. | |||
| CVE-2014-2343 | low | — | 1.2 | 12y ago | Triangle MicroWorks SCADA Data Gateway before 3.00.0635 allows physically proximate attackers to cause a denial of service (excessive data processing) via a crafted DNP request over a serial line. | |||
| CVE-2014-2030 | unknown | — | 1.0 | — | Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary… | |||
| CVE-2014-1947 | unknown | — | 1.0 | — | Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary … | |||
| CVE-2014-9390 | unknown | — | 1.0 | 4y ago | Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; … | |||
| CVE-2014-4248 | low | — | 1.0 | 12y ago | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, and 12.2.3 allows local users to affect confidentiality via … | |||
| CVE-2014-2488 | low | — | 1.0 | 12y ago | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality via … | |||
| CVE-2014-8126 | unknown | — | — | — | The scheduler in HTCondor before 8.2.6 allows remote authenticated users to execute arbitrary code. | |||
| CVE-2014-1958 | unknown | — | — | — | Buffer overflow in the DecodePSDPixels function in coders/psd.c in ImageMagick before 6.8.8-5 might allow remote attackers to execute arbitrary code via a crafted PSD image, involving the L%06ld stri… | |||
| CVE-2014-0048 | unknown | — | — | — | An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways. | |||
| CVE-2014-3180 | unknown | — | — | — | In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting com… | |||
| CVE-2014-3519 | unknown | — | — | — | The open_by_handle_at function in vzkernel before 042stab090.5 in the OpenVZ modification for the Linux kernel 2.6.32, when using simfs, might allow local container users with CAP_DAC_READ_SEARCH cap… | |||
| CVE-2014-7210 | unknown | — | — | — | pdns specific as packaged in Debian in version before 3.3.1-1 creates a too privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissi… | |||
| CVE-2014-8171 | unknown | — | — | — | The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup. | |||
| CVE-2014-8181 | unknown | — | — | — | The kernel in Red Hat Enterprise Linux 7 and MRG-2 does not clear garbage data for SG_IO buffer, which may leaking sensitive information to userspace. | |||
| CVE-2014-8561 | unknown | — | — | — | imagemagick 6.8.9.6 has remote DOS via infinite loop | |||
| CVE-2014-8178 | unknown | — | — | — | Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a cra… | |||
| CVE-2014-5278 | unknown | — | — | — | A vulnerability exists in Docker before 1.2 via container names, which may collide with and override container IDs. | |||
| CVE-2014-5282 | unknown | — | — | — | Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'. | |||
| CVE-2014-8179 | unknown | — | — | — | Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to injec… | |||
| CVE-2014-125087 | unknown | — | — | 3y ago | java-xmlbuilder vulnerable to XML External Entity Reference | |||
| CVE-2014-3599 | unknown | — | — | 4y ago | HornetQ REST vulnerable to Improper Restriction of XML External Entity Reference | |||
| CVE-2014-9720 | unknown | — | — | 4y ago | Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determi… | |||
| CVE-2014-4172 | unknown | — | — | 4y ago | Jasig Java CAS Client, .NET CAS Client, and phpCAS contain URL parameter injection vulnerability | |||
| CVE-2014-3643 | unknown | — | — | 4y ago | jersey: XXE via parameter entities | |||
| CVE-2014-3652 | unknown | — | — | 4y ago | JBoss KeyCloak Open Redirect | |||
| CVE-2014-3656 | unknown | — | — | 4y ago | JBoss KeyCloak Cross-site Scripting Vulnerability | |||
| CVE-2014-3607 | unknown | — | — | 4y ago | Improper Certificate Validation in vt-ldap | |||
| CVE-2014-3603 | unknown | — | — | 4y ago | Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java | |||
| CVE-2014-9356 | unknown | — | — | 5y ago | Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or… |